Allow root CA to be added through config maps

2025-03-11 15:38:05 +01:00 · 2025-03-11 15:38:05 +01:00 · ae4a00b4bc
commit ae4a00b4bc
parent 30fe11eccf
16 changed files with 516 additions and 48 deletions
--- a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/serverstransport.go
+++ b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/serverstransport.go
@ -31,7 +31,10 @@ type ServersTransportSpec struct {
 	ServerName string `json:"serverName,omitempty"`
 	// InsecureSkipVerify disables SSL certificate verification.
 	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+	// RootCAs defines a list of CA certificate Secrets or ConfigMaps used to validate server certificates.
+	RootCAs []RootCA `json:"rootCAs,omitempty"`
 	// RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+	// Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
 	RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"`
 	// CertificatesSecrets defines a list of secret storing client certificates for mTLS.
 	CertificatesSecrets []string `json:"certificatesSecrets,omitempty"`
@ -74,6 +77,20 @@ type ForwardingTimeouts struct {
 	PingTimeout *intstr.IntOrString `json:"pingTimeout,omitempty"`
 }

+// +k8s:deepcopy-gen=true
+
+// RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
+// If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
+// +kubebuilder:validation:XValidation:rule="has(self.secret) && has(self.configMap)",message="RootCA cannot have both Secret and ConfigMap defined."
+type RootCA struct {
+	// Secret defines the name of a Secret that holds a CA certificate.
+	// The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
+	Secret *string `json:"secret,omitempty"`
+	// ConfigMap defines the name of a ConfigMap that holds a CA certificate.
+	// The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
+	ConfigMap *string `json:"configMap,omitempty"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

 // ServersTransportList is a collection of ServersTransport resources.
--- a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/serverstransporttcp.go
+++ b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/serverstransporttcp.go
@ -49,7 +49,10 @@ type TLSClientConfig struct {
 	ServerName string `json:"serverName,omitempty"`
 	// InsecureSkipVerify disables TLS certificate verification.
 	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
-	// RootCAsSecrets defines a list of CA secret used to validate self-signed certificates.
+	// RootCAs defines a list of CA certificate Secrets or ConfigMaps used to validate server certificates.
+	RootCAs []RootCA `json:"rootCAs,omitempty"`
+	// RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+	// Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
 	RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"`
 	// CertificatesSecrets defines a list of secret storing client certificates for mTLS.
 	CertificatesSecrets []string `json:"certificatesSecrets,omitempty"`
--- a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/zz_generated.deepcopy.go
@ -1162,6 +1162,32 @@ func (in *Retry) DeepCopy() *Retry {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RootCA) DeepCopyInto(out *RootCA) {
+	*out = *in
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConfigMap != nil {
+		in, out := &in.ConfigMap, &out.ConfigMap
+		*out = new(string)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RootCA.
+func (in *RootCA) DeepCopy() *RootCA {
+	if in == nil {
+		return nil
+	}
+	out := new(RootCA)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Route) DeepCopyInto(out *Route) {
 	*out = *in
@ -1347,6 +1373,13 @@ func (in *ServersTransportList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServersTransportSpec) DeepCopyInto(out *ServersTransportSpec) {
 	*out = *in
+	if in.RootCAs != nil {
+		in, out := &in.RootCAs, &out.RootCAs
+		*out = make([]RootCA, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.RootCAsSecrets != nil {
 		in, out := &in.RootCAsSecrets, &out.RootCAsSecrets
 		*out = make([]string, len(*in))
@ -1593,6 +1626,13 @@ func (in *TLS) DeepCopy() *TLS {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSClientConfig) DeepCopyInto(out *TLSClientConfig) {
 	*out = *in
+	if in.RootCAs != nil {
+		in, out := &in.RootCAs, &out.RootCAs
+		*out = make([]RootCA, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.RootCAsSecrets != nil {
 		in, out := &in.RootCAsSecrets, &out.RootCAsSecrets
 		*out = make([]string, len(*in))